SECURITY 606



On day four we will spend the first half of the day finishing up the logical structures of the top three operating systems, followed by lecture and lab on assembling RAID 0 and RAID 5 arrays. We start the day by finishing up Windows and NTFS, covering the unusual differences between Vista and XP with regard to data recovery. You'll look at options like Shadow Copy file recovery and changes to the structure of files in the recycle bin, as well as info2 files.

Mac OSX HFS+ partitions when Mac OS X can't repair or recover from them. During these sections we will use reference material and discuss the nature of each operating system, touching on its basic format and file structure. Labs during this day will include HFSExplorer, where we can see the B* Tree structure stored in the Mac OSX Catalog. We will then move on to examining the basic functions and software available to recover Linux EXT 2/3 and Reiser partitions. Additional tools used to recover and rebuild Linux will include R-Studios and Disk Explorer for Linux.

In the afternoon we will begin with an examination of the HPA's (host protected area) effect on JBOD, how to review custom arrays created by different manufacturers, and RAID 0/5 arrays. At this point, our only interest is in addressing the functions necessary to recreate the RAID arrays so that we can retrieve data, not to rebuild them to put the array back in place. With this, you'll be able to deliver that retrieved content back to whoever needs it.

The labs for RAID 0 and RAID 5 will include several premade images, which we will process. I will show you what happens when you have the settings for RAID wrong, quick and easy ways to identify the problems, and how to find the correct settings by doing entropy by sight or sound, then correcting the issues so you can do a successful recovery. I will also demonstrate how you can do some of these functions faster using other tools like X-Ways Forensics, R-Studios and Raid Reconstructor.
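
The read-only reassembly described above, as an added example that is not part of the course material: it de-stripes RAID 0 and RAID 5 member images and shows that a wrong stripe size or disk order yields a different volume. The left-symmetric parity rotation, the 16-byte stripe, the three-member set and the sample records are all assumptions constructed for illustration.

```python
from functools import reduce

def xor_blocks(blocks):
    """XOR equal-length byte strings (the RAID 5 parity operation)."""
    return bytes(reduce(lambda a, b: a ^ b, col) for col in zip(*blocks))

def parity_disk(row, n):
    """Assumed layout: left-symmetric, parity rotates back from the last disk."""
    return n - 1 - row % n

def build_raid5(data, n, stripe):
    """Constructed fixture: stripe data over n member images with parity."""
    members = [bytearray() for _ in range(n)]
    row_bytes = stripe * (n - 1)
    for row, off in enumerate(range(0, len(data), row_bytes)):
        chunks = [data[off + i * stripe: off + (i + 1) * stripe] for i in range(n - 1)]
        p = parity_disk(row, n)
        members[p] += xor_blocks(chunks)
        for k, chunk in enumerate(chunks, start=1):
            members[(p + k) % n] += chunk  # data starts on the disk after parity
    return [bytes(m) for m in members]

def destripe_raid5(members, stripe):
    """Read-only reassembly: skip parity, emit data chunks in logical order."""
    n, out = len(members), bytearray()
    for row, off in enumerate(range(0, len(members[0]), stripe)):
        p = parity_disk(row, n)
        for k in range(1, n):
            out += members[(p + k) % n][off:off + stripe]
    return bytes(out)

def destripe_raid0(members, stripe):
    """RAID 0: interleave stripe-sized chunks in disk order."""
    out = bytearray()
    for off in range(0, len(members[0]), stripe):
        for m in members:
            out += m[off:off + stripe]
    return bytes(out)

def parity_consistent(members):
    """True when all members XOR to zero, i.e. they form one RAID 5 set."""
    return not any(xor_blocks(members))

# Constructed sample volume: twelve 16-byte records, striped over three images.
VOLUME = b"".join(b"rec%04d:payload\n" % i for i in range(12))
IMAGES = build_raid5(VOLUME, n=3, stripe=16)
```

The parity check passes regardless of disk order or stripe size, so it confirms only that the images belong together; the correct order and stripe size still have to be found by inspecting the reassembled output.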




SECURITY 606 Upcoming Events

Event | Location | Dates | Delivery Method
SANS CDI East 2009 | Washington DC | Dec 11, 2009 - Dec 18, 2009 | Live Event
Community SANS Atlanta 2010 | Atlanta, GA | Feb 09, 2010 - Feb 13, 2010 | Community SANS
SANS 2010 | Orlando, FL | Mar 06, 2010 - Mar 15, 2010 | Live Event
SANS Security West 2010 | San Diego, CA | May 07, 2010 - May 15, 2010 | Live Event

"This is awesome! We're seeing details that most people don't even know exist" - John Wright, Info Tech, Inc.
"The class provided in-depth, real world, hands-on information" - Robert Dale Drollinger, General Dynamics
SANS Institute